
Dangerous new malware infects thousands of enterprise devices


Thousands of enterprise devices around the world are being targeted by a new malware campaign dubbed Blue Mockingbird. 

Once infected, this malware downloads and installs additional payloads that use the device to mine Monero cryptocurrency, which is then sent to the hackers.

According to researchers at cloud security firm Red Canary, the campaign has been active since last December and continued through April. The hackers reportedly target vulnerable public-facing servers that use the Telerik UI framework.

Once the hackers gain access to a system, they use the JuicyPotato technique to escalate to admin-level privileges and deploy the Monero-mining tool XMRIG, packaged as a DLL, on Windows systems.

Blue Mockingbird

If the affected servers are found to be connected to a company’s internal network, the hackers reportedly attempt to spread the malware within the network using Remote Desktop Protocol (RDP) or Server Message Block (SMB) connections.

Researchers believe that an outdated version of Telerik UI, a component of ASP.NET-based server applications, is the likely entry point for this campaign.

Red Canary's report states that while the hackers are targeting smaller organisations, they may already have impacted several thousand devices. The actual number of infected devices could be higher, since companies that consider themselves safe are also exposed to this crypto-mining attack.

"Like any security company, we have limited visibility into the threat landscape and no way of accurately knowing the full scope of this threat," Red Canary noted in a statement.

"This threat, in particular, has affected a very small percentage of the organisations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organisations, and over a short amount of time."

To block such threats, the researchers recommend patching web servers and web applications; where patching is not possible, they advise blocking the exploitation attempts at the perimeter with a firewall.

Via: ZDNet